[EXTERNAL] Re: BMC update via TFTP
Neeraj Ladkani
neladk at microsoft.com
Wed Dec 11 05:58:10 AEDT 2019
Are there any thoughts to get rid of BMC reset to trigger FW update? I understand FW reset is required after the update.
-----Original Message-----
From: openbmc <openbmc-bounces+neladk=microsoft.com at lists.ozlabs.org> On Behalf Of Joseph Reynolds
Sent: Monday, December 9, 2019 5:25 PM
To: Alexander Tereschenko <aleksandr.v.tereschenko at linux.intel.com>; openbmc at lists.ozlabs.org
Subject: [EXTERNAL] Re: BMC update via TFTP
On 12/9/19 10:06 AM, Alexander Tereschenko wrote:
> On 06-Dec-19 23:52, Joseph Reynolds wrote:
>> I was thinking along the lines of adding [SFTP][] (or SCP) support
>> and then migrating existing TFTP users to the new secure solution.
>>
>> That is, the BMC admin performing [code update][] can currently get a
>> firmware image via POST DownloadViaTFTP to URI
>> /xyz/openbmc_project/software.
>> My idea is to offer a DownloadViaSFTP method (or preferably a Redfish
>> API) for this. Note that the TFTP download is disabled by default
>> per [bmcweb config][].
>>
>> Once OpenBMC supports downloading firmware via SFTP, we can encourage
>> our users to set up their SFTP servers and take down their TFTP
>> servers. I realize that sounds easy, but I don't have a feeling how
>> difficult that would be in practice.
>>
>> Does that sound feasible?
>>
>> - Joseph
>>
>> [SFTP]: https://man.openbsd.org/sftp-server
>> [code update]: https://github.com/openbmc/docs/blob/master/code-update/code-update.md
>> [bmcweb config]: https://github.com/openbmc/bmcweb/blob/41d1d1833f476766f88cfb624e66eef7906bdf8c/CMakeLists.txt#L98
>
> Yes, that could be a solution for the problem we discuss, providing
> both integrity and confidentiality, without any major OpenBMC
> development necessary - but it would mean more operational burden for
> BMC admins. The problem with SCP/SFTP in this context is that for this
> to work in the same manner as TFTP, the BMC must be an SSH client -
> i.e. have some sort of identity/credentials for the SCP/SFTP server
> provisioned first. That might not be the easiest solution to setup,
> but it's of course possible and can be automated if OpenBMC provides
> respective config knobs.
>
> Existing ways we have in code-update.md either don't require
> credentials (TFTP), so being a client is easy, or are not making a
> "client" from BMC, it's the admin who uploads stuff (SCP/REST).
Yes, that's what I was thinking. (And no, I am not going to recommend setting up a SCP or SFTP server that allows anonymous access.)
This highlights the need for OpenBMC to put together a guide to provisioning your BMC. Such a guide would give us a place to talk about uploading to the BMC the SSH client certificates needed to access and download the firmware images.
- Joseph
>
> regards,
> Alexander
>
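As an added illustration, not code from this thread or from OpenBMC, the script below shows how a BMC admin could script the SFTP-client provisioning that Alexander and Joseph discuss: a read-only, chrooted account on the firmware server, a client key generated on the BMC, a pinned server host key, and a hash check of the downloaded image before it goes to the updater. The server name fwrepo.example.internal, the account bmc-fetch, the directory /srv/firmware, the key directory and the image path are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not OpenBMC code): provisioning steps so a BMC can act as an
# SFTP *client* against a read-only firmware server, as discussed in the
# thread. Hostnames, user names and paths below are assumptions.
set -eu

FW_SERVER="fwrepo.example.internal"    # assumed SFTP server hostname
FW_USER="bmc-fetch"                     # assumed low-privilege account on the server
KEY_DIR="${KEY_DIR:-/tmp/bmc-sftp-demo}" # assumed location of the BMC client identity

# 1. Server side: confine the BMC account to a read-only, chrooted SFTP
#    subsystem so a leaked BMC key yields nothing beyond image downloads.
#    Emits the Match block an admin would append to sshd_config.
write_sftp_match_block() {
    cat <<EOF
Match User $FW_USER
    ChrootDirectory /srv/firmware
    ForceCommand internal-sftp -R
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
    PasswordAuthentication no
EOF
}

# 2. BMC side: generate the client identity once. The public half is what a
#    provisioning guide would have the admin copy into the server's
#    authorized_keys; only the private key stays on the BMC.
generate_bmc_identity() {
    mkdir -p "$KEY_DIR"
    [ -f "$KEY_DIR/id_ed25519" ] || \
        ssh-keygen -q -t ed25519 -N '' -C "bmc-fw-fetch" -f "$KEY_DIR/id_ed25519"
    cat "$KEY_DIR/id_ed25519.pub"
}

# 3. The server host key is pinned out of band into $KEY_DIR/known_hosts
#    (obtained from the server admin), so the first connection cannot be
#    redirected. Builds the fetch command; never relax StrictHostKeyChecking.
build_fetch_command() {
    # $1 = remote image path, $2 = local destination
    printf 'sftp -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -i %s %s@%s:%s %s' \
        "$KEY_DIR/known_hosts" "$KEY_DIR/id_ed25519" "$FW_USER" "$FW_SERVER" "$1" "$2"
}

# 4. SFTP protects the transport; it does not prove the image itself is the
#    one the admin intended. Compare the download against a SHA-256 the admin
#    obtained separately before handing it to the updater. Returns 0 on match.
verify_image() {
    # $1 = downloaded file, $2 = expected SHA-256 (hex)
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}
```

Usage: run `write_sftp_match_block` on the server to see the sshd_config fragment, `generate_bmc_identity` once on the BMC, then `eval "$(build_fetch_command /images/image.tar /tmp/fw.tar)"` followed by `verify_image /tmp/fw.tar <expected-sha256>` before starting the code update. The `-R` on `internal-sftp` and the disabled forwarding and TTY options are what keep the BMC's credential useful for downloads only.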